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® A method and apparatus is provided in a data 
processing system for securing access to particular 
files which are stored in a computer-accessible 
memory media. A file management program is pro- 
vided as an operating system component of the data 
processing system. A plurality of files are stored in a 
computer-accessible memory media, including at 
least one encrypted file and at least one unencryp- 
ted file. For each encrypted file, a preselected por- 
tion of the file is recorded in memory, a decryption 
block is generated which includes information which 
can be utilized to decrypt the file, and the decryption 
block is incorporated in the file in lieu of the 
preselected portion which has been recorded in 
memory. Then, a file management program is uti- 
lized to monitor data processing system calls for 
files stored in the computer-accessible memory me- 
dia. The file management program determines 
whether the called file has an associated decryption 
block. The called file is processed in a particular 
manner dependent upon whether or not the called 
file has an associated decryption block. 
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CROSS-REFERENCE TO RELATED APPLICA- 
TION 

The present application is related to U. S. 
Patent Application Serial No. 08/235,033, entitled 
"Method and Apparatus for Enabling Trial Period 
Use of Software Products:Method and Apparatus 
for Utilizing a Decryption Stub." further identified 
by Attorney Docket No. BT9-93-070: U. S. Patent 
Application Serial No. 08/235,035, entitled "Method 
and Apparatus for Enabling Trial Period Use of 
Software Products:Method and Apparatus for Allow- 
ing a Try-and-Buy User Interaction," further iden- 
tified by Attorney Docket No. DA9-94-008; U. S. 
Patent Application Serial No. 08/235,032, entitled 
"Method and Apparatus for Enabling Trail Period 
Use of Software Products:Method and Apparatus 
for Generating a Machine-Dependent Identifica- 
tion," further identified by Attorney Docket No. 
DA9-94-009; and U. S. Patent Application Serial 
No. 08/238.418, entitled "Method and Apparatus for 
Enabling Trial Period Use of Software Pro- 
ducts:Method and Apparatus for Allowing the Dis- 
tribution of Software Objects," further identified by 
Attorney Docket No. DA9-94-011, all filed of even 
date herewith by the inventors hereof and assigned 
to the assignee herein, and incorporated by refer- 
ence herein. 

BACKGROUND OF THE INVENTION 

1. Technical Field: 

The present invention relates in general to 
techniques for securing access to software objects, 
and in particular to techniques for temporarily en- 
crypting and restricting access to software objects. 

2. Description of the Related Art: 

The creation and sale of software products has 
created tremendous wealth for companies having 
innovative products, and this trend will continue 
particularly since consumers are becoming ever- 
more computer literate as time goes on. Computer 
software is difficult to market since the potential 
user has little opportunity to browse the various 
products that are available. Typically, the products 
are contained in boxes which are shrink-wrapped 
closed, and the potential customer has little or no 
opportunity to actually interact with or experience 
the software prior to purchasing. This causes con- 
siderable consumer dissatisfaction with products, 
since the consumer is frequently forced to serially 
purchase a plurality of software products until an 
acceptable product is discovered. This is perhaps 
one significant cause of the great amount of soft- 
ware piracy which occurs in our economy. A poten- 
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tial software purchaser will frequently "borrow" a 
set of diskettes from a friend or business associate, 
with the stated intention of using the software for a 
temporary period. Frequently, such temporary use 

5 extends for long intervals and the potential cus- 
tomer may never actually purchase a copy of the 
software product, and may instead rely upon the 
borrowed copy. 

Since no common communication channel ex- 

10 ists for the sampling of software products, such as 
those created in movie theaters by movie trailers, 
and in television by commercials, software manu- 
facturers are forced to rely upon printed publica- 
tions and direct mail advertisements in order to 

75 advertise new products and solicit new customers. 
Unfortunately, printed publications frequently fail to 
provide an accurate description of the product, 
since the user interaction with the product cannot 
be simulated in a static printed format. The manu- 

20 facturers of computer software products and the 
customers would both be well served if the cus- 
tomers could have access to the products prior to 
making decisions on whether or not to purchase 
the product, if this could be accomplished without 

25 introducing risk of unlawful utilization of the prod- 
uct. 

The distribution of encrypted software products 
is one mechanism a software vendor can utilize to 
distribute the product to potential users prior to 

30 purchase; however, a key must be distributed 
which allows the user access to the product. The 
vendor is then forced to rely entirely upon the 
honesty and integrity of a potential customer. Un- 
scrupulous or dishonest individuals may pass keys 

35 to their friends and business associates to allow 
unauthorized access. It is also possible that unscru- 
pulous individuals may post keys to publicly-acces- 
sible bulletin boards to allow great numbers of 
individuals to become unauthorized users. Typi- 

40 cally, these types of breaches in security cannot be 
easily prevented, so vendors have been hesitant to 
distribute software for preview by potential cus- 
tomers. 

45 SUMMARY OF THE INVENTION 

It is one object of the present invention to 
provide a method and apparatus for distributing 
software objects from a producer to potential users 

50 which allows the user a temporary trial period with- 
out subjecting the software product to unnecessary 
risks of piracy or unauthorized utilization beyond 
the trial interval. Preferably this is accomplished by 
providing a software object on a computer-acces- 

55 sible memory media along with a file management 
program. Preferably, the software object is revers- 
ibly functionally limited, through one or more par- 
ticular encryption operations. The computer-acces- 

3 
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sible memory media is shipped from the producer 
to the potential user utilizing conventional mail and 
delivery services. Upon receipt, the potential user 
loads the file management program into a user- 
controlled data processing system and associates 
it with the operating system for the data processing 
system. Then, the computer-accessible memory 
media is read utilizing the user-controlled data pro- 
cessing system. The file management program is 
executed by the user-controlled data processing 
system and serves to restrict access to the soft- 
ware object for a predefined and temporary trial 
period. During the temporary trial mode of opera- 
tion, the software object is temporarily enabled by 
reversing the reversible functional limitation of the 
software object. This is preferably accomplished by 
decryption of the encrypted software object when 
the software object is called by the operating sys- 
tem of the user-controlled data processing system. 
The file management program preferably prevents 
copying operations, so the encrypted software pro- 
ject is temporarily decrypted when it is called by 
the operating system. If the potential user elects to 
purchase the software object, a permanent use 
mode of operation is entered, wherein the func- 
tional limitation of the software object is perma- 
nently reversed, allowing unlimited use to the soft- 
ware object by the potential user. This facilitates 
browsing operations which allow the potential user 
to review the software and determine whether it 
suits his or her needs. 

The file management program continuously 
monitors the operating system of the user-con- 
trolled data processing system for operating sys- 
tem input calls and output calls. The file manage- 
ment program identifies when the operating system 
of the user-controlled data processing system calls 
for a software object which Is subject to trial- 
interval browsing. Then, the file management sys- 
tem fetches a temporary access key associated 
with the software object, and then examines the 
temporary access key to determine If It is valid. 
Next, the file management program reverses the 
functional limitation of the software object, and 
passes it to the data processing system for pro- 
cessing. 

It is another objective of the present Invention 
to provide a method and apparatus for distributing 
a software object from a source to a user, wherein 
a software object is encrypted utilizing a long-lived 
encryption key, and directed from the source to the 
user. The encrypted software object Is loaded onto 
a user-controlled data processing system having a 
particular system configuration. A numerical ma- 
chine identification based at least in part upon the 
particular configuration of the user-controlled data 
processing system is then derived. Next, a tem- 
porary key is derived which is based at least In 



BNSDOCID: <EP 0681233A1_I_> 



part upon the numerical machine identification and 
the long-lived encryption key. A long-lived key gen- 
erator Is provided for receiving the temporary key 
and producing the long-lived encryption key. The 
5 temporary key allows the user to generate for a 
prescribed interval the long-lived encryption key to 
access the software object. These operations are 
performed principally by a file management pro- 
gram which is operable in a plurality of modes. 

10 These modes include a set up mode of operation, 
a machine identification mode of operation, and a 
temporary key derivation mode of operation. During 
the set up mode of operation, the file management 
program is loaded onto a user-controlled data pro- 

15 cessing system and associated with an operating 
system for the user-controlled data processing sys- 
tem. During the machine identification mode of 
operation, the file management program is utilized 
to derive a numerical machine identification based 

20 upon at least on attribute of the user-controlled 
data processing system. During the temporary key 
derivation mode of operation, a temporary key is 
derived which is based at least in part upon the 
numerical machine identification. The file manage- 
rs ment program also allows a trial mode of operation, 
wherein the file management program is utilized by 
executing it with the user-controlled data process- 
ing system to restrict access to the software object 
for an interval defined by the temporary key, during 

30 which the long-lived key generator is utilized in the 
user-controlled data processing system to provide 
the long-lived key in response to receipt of at least 
one input including the temporary key. 

It is yet another objective of the present inven- 

35 tion to provide a method and apparatus in a data 
processing system for securing access to particular 
files which are stored in a computer-accessible 
memory media. A file management program is 
provided as an operating system component of the 

40 data processing system. A plurality of files are 
stored In the computer-accessible memory media, 
including at least one encrypted file and at least 
one unencrypted file. For each encrypted file, a 
preselected portion is recorded In computer mem- 

45 ory, a decryption block is generated which includes 
information which can be utilized to decrypt the 
file, and the decryption block is incorporated into 
the file in lieu of the preselected portion which has 
been recorded elsewhere In computer memory. 

50 The file management program is utilized to monitor 
data processing operation calls for a called file 
stored in the computer-accessible memory media. 
The file management program determines whether 
the called file has an associated decryption block. 

55 The file management program processes the called 
file in a particular manner dependent upon whether 
or not the called file has an associated decryption 
block. The incorporation of the decryption block 

4 
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does not change the size of the encrypted file, thus 
preventing certain types of processing errors. Dur- 
ing the trial interval, the encrypted file is main- 
tained in an encrypted condition, and cannot be 
copied. If the potential user opts to purchase the 
software product, a pernnanent key is provided 
which results in replacennent of the preselected 
portion to the file in lieu of the decryption block. 
Once the decryption block is removed, the encryp- 
ted file may be decrypted to allow unrestricted use 
by the purchaser. Preferably, the file management 
program is utilized to Intercept files as they are 
called by the operating system, and to utilize the 
decryption block to derive a name for a key file 
and read the called file. The decryption block of 
each encrypted file includes a validation segment 
which is decrypted by the file management pro- 
gram and compared to a elected segment for the 
called file to determine whether the key can de- 
crypt the particular file. If the decrypted validation 
segment matches a known clear text validation 
segment, the file is then dynamically decrypted as 
it is passed for further processing. 

It is yet another objective of the present inven- 
tion to provide a method and apparatus in a data 
processing system for securing access to particular 
files which are stored in a computer-accessible 
memory media. A file management program is 
provided as an operating system component of a 
data processing system. In a computer-accessible 
memory media available to the data processing 
system, at least one encrypted file and one unen- 
crypted file are stored. The encrypted file has 
associated with it an unencrypted security stub 
which is at least partially composed of executable 
code. The file management program is utilized to 
monitor the data processing system calls for a 
called file stored in the computer accessible mem- 
ory media, todetermine whether the called file has 
an associated unencrypted security stub, and to 
process the called file in a particular manner de- 
pendent upon whether or not the called file has an 
associated unencrypted security stub. More par- 
ticularly, if it is determined that the called file has 
no associated unencrypted security stub, the called 
file is allowed to be processed. However, if it is 
determined that the called file has an associated 
unencrypted security stub, it must be examined 
before a decision can be made about whether or 
not to allow it to be processed. First, the unencryp- 
ted security stub is examined in order to obtain 
information which allows decryption operations to 
be performed. Then, the decryption operations are 
performed. Finally, the called file is allowed to pass 
for further processing. Preferably, the called file is 
dynamically decrypted as it is passed to the op- 
erating system for processing. Also, the unencryp- 
ted security stub is separated from the called file 



prior to execution of the called file. 

However, if the unencrypted security stub ac- 
cidentally remains attached to the called file, pro- 
cessing operations must be stopped, and a mes- 
5 sage must be posted in order to prevent the pro- 
cessor from becoming locked-up. 

It is still another objective of the present inven- 
tion to provide a method and apparatus for distrib- 
uting a software object from a source to a user. A 

10 computer-accessible memory media is distributed 
from the source to a potential user. It includes a 
software object which is encrypted utilizing a pre- 
determined encryption engine and a long-lived and 
secret key. An interface program is provided which 

75 facilitates interaction between the source and the 
user. The interface program includes machine 
identification module which generates a machine 
identification utilizing at least on predetermined at- 
tribute of the user-controlled data processing sys- 

20 tern. It also further includes a long-lived and secret 
key generator which receives as an input at least a 
temporary key and produces as an output a long- 
lived and secret key. A validation module is pro- 
vided which tests temporary key determined its 

25 validity. The source of the software object main- 
tains a temporary key generator which receives as 
an input at least a machine identification and pro- 
duces an output of the temporary key. An interface 
program is loaded onto the user-controlled data 

30 processing system. The machine identification 
module is utilized to examine at least one predeter- 
mined attribute of the user-controlled data process- 
ing system and to generate the machine identifica- 
tion. During interaction between the source and the 

35 user, the machine identification is communicated 
over an insecure communication channel. At the 
source of the software object, the temporary key is 
generated utilizing the machine identification (and 
other information) as an input to the temporary key 

40 generator. During interaction between the source 
and the user, the temporary key is communicated, 
typically over an insecure communication channel. 
Next, the validation module is utilized to determine 
the validity of the temporary key. The long-lived 

45 and secret key generator is then utilized to receive 
the temporary key and generate the long-lived and 
secret key in order to decrypt and temporarily gain 
access to the software object. The user is also 
provided with an import module and an export 

50 module which allow for the utilization of portable 
memory media to transfer the encrypted software 
object, a key file, and a machine identification file 
from one machine in a distributed data processing 
system to another machine in the distributed data 

55 processing system, while allowing the temporary 
key to allow temporary trial access to the software 
object. 
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The above as well as additional objectives, 
features, and advantages of the present invention 
will become apparent in the following detailed writ- 
ten description. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The novel features believed characteristic of 
the invention are set forth in the appended claims. 
The invention itself, however, as well as a preferred 
mode of use, further objectives and advantages 
thereof, will best be understood by reference to the 
following detailed description of an illustrative em- 
bodiment when read in conjunction with the accom- 
panying drawings, wherein: 

Figure 1 is a pictorial representation of a stand- 
alone data processing system, a telephone, and 
a variety of computer-accessible memory media 
all of which may be utilized in the implementa- 
tion of the preferred technique of enabling trial 
period use of software products; 
Figure 2 is a pictorial representation of a distrib- 
uted data processing system which may utilize 
the technique of the present invention of en- 
abling trial period use of software products; 
Figure 3 is a block diagram representation of 
data processing system attributes which may be 
utilized to generate a machine identification, in 
accordance with the present invention; 
Figure 4 is a block diagram depiction of a rou- 
tine for encrypting software objects; 
Figure 5 is a pictorial representation of the ex- 
change of information between a source (a soft- 
ware vendor) and a user (a customer), in accor- 
dance with the teachings of the present inven- 
tion; 

Figure 6 is a flowchart representation of the 
broad steps employed in building a user inter- 
face shell, in accordance with the present inven- 
tion; 

Figure 7 is a flowchart representation of vendor 
and customer interaction in accordance with the 
present invention; 

Figures 8, 9, 10a, and 10b depict user interface 

screens which facilitate trial period operations in 

accordance with the present invention; 

Figure 1 1 depicts a user interface which is used 

to initiate a temporary access key; 

Figure 12 is a block diagram depiction of the 

preferred technique of generating a machine 

identification; 

Figure 13 is a block diagram depiction of an 
encryption operation which is utilized to encrypt 
a machine identification, in accordance with the 
present invention; 

Figure 14 is a block diagram representation of 
the preferred technique for generating a product 
key, in accordance with the present invention; 
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Figure 15 is a block diagram representation of a 
preferred technique utilizing a temporary prod- 
uct key to generate a real key which can be 
utilized to decrypt one or more software objects; 

5 Figures 16 and 17 depict a preferred technique 

of validating the real key which is derived in 
accordance with the block diagram of Figure 15; 
Figure 18 is a block diagram depiction of the 
preferred routine for encyrpting a key file which 

10 contains information including a temporary prod- 
uct key; 

Figure 19 is a block diagram depiction of the 
preferred technique of handling an encryption 
header in an encrypted file, in accordance with 

15 the present invention; 

Figure 20 depicts in block diagram form the 
technique of utilizing a plurality of inputs in the 
user-controlled data processing system to derive 
the real key which may be utilized to decrypt an 

20 encrypted software object; 

Figure 21 depicts a decryption operation utiliz- 
ing the real key derived in accordance with 
Figure 20; 

Figure 22 is a block diagram depiction of a 
25 comparison operation which is utilized to deter- 
mine the validity of the real key; 
Figure 23 depicts a decryption operation utiliz- 
ing a validated real key; 

Figures 24, 25, 26, 27, 28 depict the utilization 
30 of an encryption header in accordance with the 
present invention; 

Figure 29 is a flowchart representation of the 
preferred technique of providing a trial period of 
use for an encrypted software object; 
35 Figures 30 and 31 depict export and import 
operations which may be utilized to perform trial 
period use operations in a distributed data pro- 
cessing system; 

Figures 32 and 33 provide an alternative view of 
40 the import and export operations which are de- 
picted in Figures 30 and 31 ; 
Figures 34 and 35 provide a block diagram 
depiction of an alternative technique for perform- 
ing an export/import operation. 

45 

DETAILED DESCRIPTION OF PREFERRED EM- 
BODIMENT 

The method and apparatus of the present in- 
50 vention for enabling trail period use of software 
products can be utilized in stand-alone PCs such 
as that depicted in Figure 1, or in distributed data 
processing systems, such as that depicted in Fig- 
ure 2. In either event, temporary trial period access 
55 to one or more software products depends upon 
utilization of the trial product on a particular data 
processing system with particular data processing 
system attributes. This is accomplished by encryp- 

6 
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ting the trial software product utilizing a temporary 
access key which is based upon one or nnore data 
processing system attributes. Figure 3 graphically 
depicts a plurality of system configuration at- 
tributes, which may be utilized in developing a 
temporary access key, as will be described in 
greater detail herebelow. To begin with, the envi- 
ronment of the stand-alone data processing system 
of Figure 1, and the distributed data processing 
system of Figure 2 will be described in detail, 
followed by a description of particular system con- 
figuration attributes which are depicted in Figure 3. 

With reference now to the figures and in par- 
ticular with reference to Figure 1, there is depicted 
a pictorial representation of data processing sys- 
tem 10 which may be programmed in accordance 
with the present invention. Asmay be seen, data 
processing system 10 includes processor 12 which 
preferably includes a graphics processor, memory 
device and central processor (not shown). Coupled 
to processor 12 is video display 16 which may be 
implemented utilizing either a color or monoch- 
romatic monitor, in a manner well known in the art. 
Also coupled to processor 12 is keyboard 14. Key- 
board 14 preferably comprises a standard com- 
puter keyboard which is coupled to the processor 
by means of a cable. 

Also coupled to processor 12 is a graphical 
pointing device, such as mouse 20. Mouse 20 is 
coupled to processor 12, in a manner well known in 
the art, via a cable. As is shown, mouse 20 may 
include left button 24, and right button 26, each of 
which may be depressed, or "clicked", to provide 
command and control signals to data processing 
system 10. While the disclosed embodiment of the 
present invention utilizes a mouse, those skilled in 
the art will appreciate that any graphical pointing 
device such as a light pen or touch sensitive 
screen may be utilized to implement the method of 
the present invention. Upon reference to the fore- 
going, those skilled in the art will appreciate that 
data processing system 10 may be implemented 
utilizing a so-called personal computer, such as the 
Model 80 PS/2 computer manufactured by Interna- 
tional Business Machines Corporation of Armonk, 
New York. 

While the present invention may be utilized in 
stand-alone data processing systems, it may also 
be utilized in a distributed data processing system, 
provided the import and export routines of the 
present invention are utilized to transfer one or 
more encrypted files, their encrypted key files, and 
associated file management programs through a 
portable memory media (such as diskettes or 
tapes) between particular data processing units 
within the distributed data processing system. 
While the import and export routines of the present 
invention will be described in greater detail 



herebelow, it is important that a basic distributed 
data processing system be described and under- 
stood. 

Figure 3 provides a block diagram depiction of 
5 a plurality of data processing system attributes 
which may be utilized to uniquely identify a particu- 
lar data processing system (whether a stand-alone 
or a node in a distributed data processing system), 
and which further can be utilized to generate in the 
10 machine identification value which is utilized to 
derive or generate a temporary access product key 
which may be utilized to gain access to an encryp- 
ted product for a particular predefined trial interval. 
A data processing system may include a particular 

75 system bus 60 architecture, a particular memory 
controller 74, bus controller 76, interrupt controller 
78, keyboard mouse controller 80, DMA controller 
66, VGA video controller 82, parallel controller 84, 
serial controller 86, diskette controller 88, and disk 

20 controller 82. Additionally, a plurality of empty or 
occupied slots 106 may be used to identify the 
particular data processing system. Each particular 
data processing system may have attributes which 
may be derived from RAM 70, ROM 68, or CMOS 

25 RAM 72. End devices such as printer 96, monitor 
94, mouse 92, keyboard 90, diskette 100, or disk 
drive 104 may be utilized to derive one or more 
attributes of the data processing system which may 
be processed in a predetermined manner to derive 

30 a machine identification value. The derivation of the 
machine identification value will be described in 
greater detail below. The present invention is di- 
rected to an efficient method of distributing soft- 
ware programs to users which would provide to 

35 them a means to try the program before obtaining 
(by purchasing) a license for it. In accordance with 
this concept, complete programs are distributed to 
potential users on computer-accessible memory 
media such as diskettes or CD-ROMs. The concept 

40 is to generate keys that allow the user to access 
the programs from the distributed media. In this 
environment, a file management program provides 
a plurality of interfaces which allows the user to 
browse the different products. The interfaces allow 

45 ordering and unlocking of the software products 
contained on the distributed media. Unlocking of 
the software product is accomplished by the recep- 
tion, validation, and recording of a temporary ac- 
cess (decryption) key. 

50 The file management program is resident in 

the user-controlled data processing system and 
becomes a part of the operating system in the 
user's computer. An example of such a resident 
program (in the PC DOS environment) would be a 

55 resident program TSR, for "terminate and stay 
resident" operations, that intercepts and handles 
DOS file input and output operations. When a tem- 
porary access key is provided to a user, system 
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files are checked to see if this file has been used in 
a trial mode of operation before. If the product has 
never been used in a trial mode of operation, the 
temporary key is saved. Once the trial mode of 
operation key exists, an encrypted application can 
only be run if it is initiated by the file management 
program. The file management program will recog- 
nize that the application is encrypted and that a 
valid trial mode of operation key exists for the 
particularoperation. A valid trial mode of application 
key is one that has not expired. The trial mode of 
operation may be defined by either a timer, or a 
counter. A timer can be used to count down a 
particular predefined period (such as thirty days); 
alternatively, the counter can be used to decrement 
through a predefined number of trial "sessions" 
which are allowed during the trial mode of opera- 
tion. If the key is valid, the file management pro- 
gram communicates directly with the TSR and en- 
ables the trial mode of operation for a particular 
encrypted application. The file management pro- 
gram then kicks off the encrypted application. The 
code which is resident in the operating system of 
the user-controlled data processing system main- 
tains control over the operating system. It monitors 
the use of the trial mode of operation keys to allow 
files to be decrypted and loaded into memory, but 
prevents the encrypted files from being decrypted 
and copied to media. This is done by using the 
operating system to determine which applications 
are trying to access the data and only allowing the 
applications that have permission to access the 
data to do so. 

Figure 4 is a block diagram depiction of a 
routine for encrypting software objects. The binary 
characters which make up software object 201 are 
supplied as an input to encryption engine 205. Real 
key 203 is utilized as an encryption key in encryp- 
tion engine 205. The output of encryption engine 
205 is an encrypted software object 207. Encryp- 
tion engine 205 may be any conventional encryp- 
tion operation such as the published and well 
known DES algorithm; alternatively, the encryption 
engine 205 may be an exclusive-OR operation 
which randomizes software object 201. 

Figure 5 is a pictorial representation of the 
exchange of information between a source 209 (a 
software vendor) and a user 211 (a potential cus- 
tomer, in accordance with the teachings of the 
present invention. The arrows between source 209 
and user 211 represent exchanges of objects or 
information between vendor 209and 211. In the 
exchange of flow 203, computer-accessible mem- 
ory media is directed from source 209 to user 21 1 . 
This transfer may occur by US mail delivery, cou- 
rier delivery, express service delivery, or by deliv- 
ery through printed publications such as books and 
magazines. Alternatively, an electronic document 



may be transferred from source 209 to user 211 
utilizing electronic mail or other transmission tech- 
niques. In flow 215. user-specific information, pref- 
erably including a unique machine identification 
5 number which identifies the data processing sys- 
tem of user 211, is transferred from user 211 to 
source 209 via an insecure communication chan- 
nel; typically, this information is exchanged over 
the telephone, but may be passed utilizing elec- 

10 tronic mail or other communication techniques. In 
flow 217, source 209 provides a product key to 
user 211. The product key allows the product con- 
tained in the memory media to be temporarily 
accessed for a prescribed and predefined interval. 

75 This interval is considered to be a "trial" interval 
during which user 211 may become familiar with 
the software and make a determination on whether 
or not he or she wishes to purchase the software 
product. User 211 must communicate additionally 

20 with source 209 in order to obtain permanent ac- 
cess to the software product. The product key 
allows user 211 to obtain access to the software 
product for a particular predefined time interval, or 
for a particular number of predefined "sessions. 

25 "As time passes, the user's clock or counter runs 
down. At the termination of the trial period, further 
access is denied. Therefore, the user 211 must 
take affirmative steps to contact source 209 and 
purchase a permanent key which is communicated 

30 to user 21 1 and which permanently unlocks a prod- 
uct to allow unrestricted access to the software 
product. 

The communication between source 209 and 
user 211 is facilitated by a user interface. The 

35 creation of the interface is depicted in flowchart 
form in Figure 6. The process begins at software 
block 219, and continues at software block 221, 
wherein source 209 makes language and locale 
selections which will determine the language and 

40 currencies utilized in the interface which facilitates 
implementation of the trial period use of the soft- 
ware products. A plurality of software products may 
be bundled together and delivered to user 211 on a 
single computer-accessible memory media. There- 

45 fore, in accordance with software block 223, source 
209 must make a determination as to the programs 
which will be made available on a trial basis on the 
computer-accessible memory media, and the ap- 
propriate fields are completed, in accordance with 

50 software block 223. Next, in accordance with soft- 
ware block 225, the programs are functionally limit- 
ed or encrypted. Then, in accordance with software 
block 227, the shell is loaded along with the com- 
puter program products onto a computer-acces- 

55 sible memory media such as a diskette or CD 
ROM. The process ends at software block 229. 

Figure 7 is a flowchart representation of vendor 
and customer interaction in accordance with the 
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present invention. The flow begins at software 
block 231, and continues at step 233, wherein 
connputer-accessible mennory media are distributed 
to users for a try-and-buy trial interval. Then, in 
accordance with step 235, the file nnanagement 
progranr) is loaded from the computer-accessible 
memory media onto a user-controlled data pro- 
cessing system for execution. The file management 
program includes a plurality of interface screens 
which facilitate interaction between the vendor and 
the customer, which and which set forth the options 
available to the customer. Thus, in accordance with 
step 237, the file management program allows 
browsing and displays appropriate user interfaces. 
Next, in accordance with step 239, the customer 
and the vendor interact, typically over the tele- 
phone or electronic mail, to allow the vendor to 
gather information about the customer and to dis- 
tribute a temporary key which allows access to one 
or more software products which are contained on 
the computer-accessible memory media for a 
predefined trial interval. Typically, the interval will 
be defined by an internal clock, or by a counter 
which keeps track of the number of sessions the 
potential purchaser has with a particular software 
product or products. Step 241 represents the al- 
lowance of the trial interval use. Then, in accor- 
dance with software block 243, the file manage- 
ment program monitors and oversees all input and 
output calls in the data processing system to pre- 
vent unauthorized use of the encrypted software 
products contained on the computer-accessible 
memory media. In the preferred embodiment of the 
present invention, the file management program 
monitors for calls to encrypted files, and then de- 
termines whether access should be allowed or de- 
nied before the file is passed for further process- 
ing. The customer can assess the software product 
and determine whether he or she desires to pur- 
chase it. If a decision is made to purchase the 
product, the customer must interact once again 
with the vendor, and the vendor must deliver to the 
customer a permanent key, as is set forth in step 
245. The process ends when the customer re- 
ceives the permanent key, decrypts the one or 
more software products that he or she has pur- 
chased, and is then allowed ordinary and unrestric- 
ted access to the software products. 

Figures 8, 9, 10a, and 10b depict user interface 
screens which facilitate trial period operations in 
accordance with the present invention. Figure 8 
depicts an order form user interface 249 which is 
displayed when the customer selects a "view or- 
der" option from another window. The order form 
user interface 249 includes a title bar 251 which 
identifies the software vendor and provides a tele- 
phone number to facilitate interaction between the 
potential customer and the vendor. An order form 



field 255 is provided which identifies one or more 
software products which may be examined during 
a trial interval period of operation. A plurality of 
subfields are provided including quantity subfietd 
5 259, item subfield 257. description subfield 260, 
and price subfield 253. Delete button 261 allows 
the potential customer to delete items from the 
order form field. Subtotal field 263 provides a sub- 
total of the prices for the ordered software. Pay- 

70 ment method icons 265 identify the acceptable 
forms of payment. Of course, a potential user may 
utilize the telephone number to directly contact the 
vendor and purchase one or more software pro- 
ducts; alternatively, the user may select one or 

75 more software products for a trial period mode of 
operation, during which a softwareproduct is exam- 
ined to determine its adequacy. A plurality of func- 
tion icons 267 are provided at the lowermost por- 
tion of order form interface 249. These include a 

20 close icon, fax icon, mail icon, print icon, unlock 
icon, and help icon. The user may utilize a graphi- 
cal pointing device in a conventional point-and-c(ick 
operation to select one or more of these oper- 
ations. The fax icon facilitates interaction with the 

25 vendor utilizing a facsimile machine or facsimile 
board. The print icon allows the user to generate a 
paper archival copy of the interaction with the 
software vendor. 

The customer, the computer-accessible mem- 

30 ory media, and the computer system utilized by 
the customer are identified by media identification 
269, customer identification 273, and machine 
identification 271. The media identification is as- 
signed to the computer-accessible memory media 

35 prior to shipping to the potential customer. It is 
fixed, and cannot be altered. The customer iden- 
tification 273 is derived from interaction between 
the potential customer and the vendor. 

Preferably, the customer provides answers to 

40 selected questions in a telephone dialogue, and the 
vendor supplies a customer identification 273, 
which is unique to the particular customer. The 
machine identification 271 is automatically derived 
utilizing the file management program which is 

45 resident on the computer-accessible memory me- 
dia, and which is unique to the particular data 
processing system being utilized by the potential 
customer. The potential customer will provide the 
machine identification to the vendor, typically 

50 through telephone interaction, although fax inter- 
action and regular mail interaction is also possible. 

Figure 9 is a representation of an order form 
dialog interface 275. This interface facilitates the 
acquisition of information which uniquely identifies 

55 the potential customer, and includes name field 
277, address field 279. phone number field 281, 
facsimile number field 283, payment method field 
285. shipping method field 287, account number 
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field 289, expiration date field 291, value added tax 
ID field 293. Order information dialog interface 275 
further includes print button 295 and cancel button 
297 which allow the potential user to delete in- 
fornnation from these fields, or to print a paper 
copy of the interface screen. 

Figures 10a and 10b depict unlock dialog inter- 
face screens 301, 303. The user utilizes a graphical 
pointing device to select one or more items which 
are identified by the content item number field 307 
and description field 309 which are components of 
unlock list 305. The interface further includes cus- 
tomer ID field 313 and machine ID field 315. Pref- 
erably, the vendor provides the customer identifica- 
tion to the customer in an interaction via phone, 
fax, or mail. Preferably, the customer provides to 
the vendor the machine identification within ma- 
chine identification field 315 during interaction via 
phone, fax. or mail. Once the information is ex- 
changed, along with an identification of the pro- 
ducts which are requested for a trial interval period 
of operation, a temporary access key is provided 
which is located within key field 311. The key will 
serve to temporarily unlock the products identified 
and selected by the customer. Close button 319, 
save button 317, and help button 321 are also 
provided in this interface screen to facilitate user 
interaction. Figure 10b depicts a single-product un- 
lock interface screen 303. This interface screen 
includes only machine identification field 315, cus- 
tomer identification field 315, and key field 311. 
The product which Is being unlocked need not be 
identified in this interface, since the dialog pertains 
only to a single product, and it Is assumed that the 
user knows the product for which a temporary trial 
period of operation is being requested. Save button 
317, cancel button 319, and help button 321 are 
also provided in this interface to facilitate operator 
interaction. 

Figure 1 1 depicts a user interface screen which 
is utilized in unlocking the one or more encrypted 
products for the commencement of a trial interval 
mode of operation. The starting date dialog of 
Figure 11 is displayed after the "SAVE" push but- 
ton is selected in the unlock dialog of either Figure 
10a or Figure 10b. The user will be prompted to 
verify the correct starting date which is provided in 
date field 310. The user responds to the query by 
pointing and clicking to either the "continue" button 
312, the "cancel" button 314, or the "help" button 
316. The date displayed in field 310 is derived 
from the system clock of the user-controlled data 
processing system. The user may have to modify 
the system clock to make the date correspond to 
the official or stated date of commencement of the 
trial period of operation. 

A trial Interval operation can take two forms:one 
form is a functionally disabled product that allows a 
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user to try all the features, but may not allow a 
critical function like printing or saving of data files. 
Another type of trial interval is a fully functional 
product that may be used for a limited time. This 
5 requires access protection, and allows a customer 
to try all the functions of a product for free or for a 
nominal fee. Typically, in accordance with the 
present invention, access to the product is con- 
trolled through a "timed" key. The trial period for 

10 using the product is a fixed duration determined by 
the vendor. The trial period begins when the key is 
issued. In accordance with the present invention, 
the products being previewed during the trial inter- 
val of operation can only be run from within a 

15 customer shell. A decryption driver will not allow 
the encrypted products to be copied in the clear, 
nor will it allow the product to be run outside the 
customer's shell. In an alternative embodiment, the 
trial interval is defined by a counter which is incre- 

20 mented or decremented with each "session" the 
customer has with the product. This may allow the 
customer a predefined number of uses of the prod- 
uct before decryption Is no longer allowed with the 
temporary key. 

25 The limits of the temporary access key are 

built into a "control vector" of the key. Typically, a 
control vector will include a short description of the 
key, a machine identification number, and a for- 
matted text string that includes the trial interval 

30 data (such as a clock value or a counter value). 
The control vector cannot be altered without break- 
ing the key. When a protected software product is 
run. the usage data must be updated to enforce the 
limits of the trial interval period of operation. In 

35 order to protect the clock or counter from tamper- 
ing, its value is recorded in a multiple number of 
locations, typically in encrypted files. In the pre- 
ferred embodiment of the present invention, the 
trial interval information (clock value and/or counter 

40 value) is copied to a "key file" which will be 
described in further detail herebelow. to a machine 
identification file, which will also be discussed 
herebelow, and to a system file. When access to 
an encrypted program is requested, all of these 

45 locations are checked to determine if the value for 
the clock and/or counter is the same. It is unlikely 
that an average user has the sophistication to tam- 
per successfully with all three files. In the preferred 
embodiment, a combination of a clock and a coun- 

50 ter is utilized to prevent extended use of backup 
and restore operations to reset the system clock. 
Although it is possible to reset a PC's clock each 
time a trial use is requested, this can also be 
detected by tracking the date/time stamps of cer- 

65 tain files on the system and using the most recent 
date between file date/time stamps and the system 
clock. As stated above, one of the three locations 
the timer and/or counter information is stored is a 

10 
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system file. When operating in an OS/2 operating 
systenn, the time and usage data can be stored in 
the system data files, such as the 0S2. INI in the 
OS/2 operating system. The user will have to con- 
tinuously backup and restore these files to reset 
the trial and usage data. These files contain other 
data that is significant to the operation of the user 
system. The casual user can accidentally lose im- 
portant data for other applications by restoring 
these files to an older version. In the present inven- 
tion, these protection techniques greatly hinder a 
dishonest user's attempts to extend the trial interval 
use beyond the authorized interval. 

In broad overview, in the present invention, the 
vendor loads a plurality of encrypted software pro- 
ducts onto a computer-accessible memory media, 
such as a CD ROM or magnetic media diskette. 
Also loaded onto the computer-accessible memory 
media is a file management program which per- 
forms a plurality of functions, including the function 
of providing a plurality of user interface screens 
which facilitate interaction between the software 
vendor and the software customer. The computer- 
accessible memory media is loaded onto a user- 
controlled data processing system, and the file 
management program is loaded for execution. The 
file management program provides a plurality of 
user-interface screens to the software customer 
which gathers information about the customer 
(name, address, telephone number, and billing in- 
formation) and receives the customer selections of 
the software products for which a trial interval is 
desired. Information is exchanged between the 
software vendor card customer, including: a cus- 
tomer identification number, a product identification 
number, a media identification number, and a ma- 
chine identification number. The vendor generates 
the customer identification number in accordance 
with its own internal record keeping. Preferably, the 
representative of the software vendor gathers in- 
formation from the software customer and types 
this information into a established blank form in 
order to identify the potential software customer. 
Alternatively, the software vendor may receive a 
facsimile or mail transmission of the completed 
order information dialog interface screen 275 (of 
Figure 9). The distributed memory media (such as 
CDs and diskettes) also include a file management 
program which is used to generate a unique ma- 
chine identification based at least in part upon one 
attribute of the user-controlled data processing sys- 
tem. This machine identification is preferably a 
random eight-bit number which is created during a 
one-time setup process. Preferably, eight random 
bits are generated from a basic random number 
generator using the system time as the "seed" for 
the random number generator. Preferably, check 
bits are added in the final result. Those check bits 
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are critical to the order system because persons 
taking orders must key in the machine ID that the 
customer reads over the phone. The check bits 
allow for instant verification of the machine ID with- 
5 out requiring the customer to repeat the number. 
Preferably, a master file is maintained on the user- 
controlled data processing system which contains 
the clear text of the machine identification and an 
encrypted version of the machine identification. 

10 When the software customer places an order 

for a temporary trial use of the software products, 
he or she verbally gives to the telephone repre- 
sentative of the software vendor the machine iden- 
tification. In return, the telephone representative 

75 gives the software customer a product key which 
serves as a temporary access key to the encrypted 
software products on the computer-accessible 
memory media, as well as a customer identification 
number. Preferably, the product key is a function of 

20 the machine identification, the customer number, 
the real encryption key for the programs or pro- 
grams ordered, and a block of control data. The 
software customer may verify the product key by 
combining it with the customer number, and an 

25 identical block of control data to produce the real 
encryption key. This key is then used to decrypt an 
encrypted validation segment, to allow a compare 
operation. If the encrypted validation segment is 
identical to known clear text for the validation seg- 

30 ment, then the user's file management program 
has determined that the product key is a good 
product key and can be utilized for temporary 
access to the software products. Therefore, if the 
compare matches, the key is stored on the user- 

35 controlled data processing system in a key file. 
Preferably, the key file contains the product key. a 
customer key (which is generated from the cus- 
tomer number and an internal key generating key) 
and a clear ASCII string containing the machine 

40 identification. All three items must remain un- 
changed in order for the decryption tool to derive 
the real encryption key. To further tie the key file to 
this particular user-controlled data processing sys- 
tem, the same key file is encrypted with a key that 

45 is derived from system parameters. These system 
parameters may be derived from the configuration 
of the data processing system. 

Stated broadly, in the present invention the 
temporary key (which is given verbally over the 

50 phone, typically) is created from an algorithm that 
utilizes encryption to combine the real key with a 
customer number, the machine identification num- 
ber, and other predefined clear text. Thus, the key 
is only effective for a single machine; even if the 

55 key were to be given to another person, it would 
not unlock the program on that other person's 
machine. This allows the software vendor to market 
software programs by distributing complete pro- 
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grams on computer-accessible memory media 
such as diskettes or CD ROMs, without significant 
risk of the loss of licensing revenue. 

Some of the preferred unique attributes of the 
system which may be utilized for encryption oper- 
ations include the hard disk serial number, the size 
and format of the hard disk, the system model 
number, the hardware interface cards, the hardware 
serial number, and other configuration parameters. 

The result of this technique is that a machine 
identification file can only be decrypted on a sys- 
tem which is an identical clone of the user-con- 
trolled data processing system. This is very difficult 
to obtain, since most data processing systems 
have different configurations, and the configurations 
can only be matched through considerable effort. 
These features will be described in detail in the 
following written description. 

Turning now to Figure 12, the file management 
program receives the distributed computer-acces- 
sible memory media with encrypted software pro- 
ducts and a file management program contained 
therein. The file management program assesses 
the configuration of the user-controlled data pro- 
cessing system, as represented in step 351 of 
Figure 12. The user-specific attributes of the data 
processing system are derived in step 353, and 
provided as an input to machine identification gen- 
erator 355, which is preferably a random number 
generator which receives a plurality of binary char- 
acters as an input, and generates a pseudo-random 
output which is representative of machine iden- 
tification 357. The process employed by machine 
identification generator 355 is any conventional 
pseudo-random number generator which receives 
as an input of binary characters, and produces as 
an output a plurality of pseudo-random binary char- 
acters, in accordance with a predefined algorithm. 

With reference now to Figure 13, machine 
identification 357 is also maintained within the file 
management program in an encrypted form. Ma- 
chine identification 357 is supplied as an input to 
encryption engine 359 to produce as an output the 
encrypted machine identification 361. Encryption 
engine 359 may comprise any convention encryp- 
tion routine, such as the DES algorithm. A key 363 
is provided also as an input to encryption engine 
359, and impacts the encryption operation in a 
conventional manner. Key 363 is derived from sys- 
tem attribute selector 365. The types of system 
attributes which are candidates for selection in- 
clude system attribute listing 367 which includes: 
the hard disk serial number, the size of the hard 
disk, the format of the hard disk, the system model 
number, the hardware interface card, the hardware 
serial number, or other configuration parameters. 

In accordance with the present invention, the 
clear text machine identification 357 and the en- 



crypted machine identification 361 are maintained 
in memory. Also, in accordance with the present 
invention, the file management program automati- 
cally posts the clear text machine identification 357 
5 to the appropriate user interface screens. The user 
then communicates the machine identification to 
the software vendor where it is utilized in accor- 
dance with the block diagram of Figure 14. As is 
shown, product key encryption engine 375 is main- 

10 tained within the control of the software vendor. 
This product key encryption engine 375 receives 
as an input: the machine identification 357, a cus- 
tomer number 369 (which is assigned to the cus- 
tomer in accordance with the internal record keep- 

75 ing of this software vendor), the real encryption key 
371 (which is utilized to decrypt the software pro- 
ducts maintained on the computer-accessible 
memory media within the custody of the software 
customer), a control block text 373 (which can be 

20 any predefined textural portion), and trial interval 
data 374 (such as clock and/or counter value which 
defines the trial interval of use). Product key en- 
cryption engine produces as an output a product 
key 377. Product key 377 may be communicated 

25 to the software customer via an insecure commu- 
nication channel, without risk of revealing real key 
371. Real key 371 is masked by the encryption 
operation, and since the product key 377 can only 
be utilized on a data processing system having a 

30 configuration identical to that from which machine 
identification 357 has been derived, access to the 
encrypted software product is maintained in a se- 
cure condition. 

Upon delivery of product key 377, the file man- 

36 agement program resident in the user-controlled 
data processing system utilizes real key generator 
379 to receive a plurality of inputs, including prod- 
uct key 377, customer number 369, control block 
text 373, machine identification 357 and trial inter- 

40 val data 374. Real key generator 379 produces as 
an output the derived real key 381 . 

Encryption and decryption algorithm utilized to 
perform the operations of the product key encryp- 
tion engine 375 and the real key generator 379 (of 

45 Figures 14 and 15) is described and claimed in co- 
pending U. S. Patent Application Serial No. 
07/964,324, filed October 21. 1992, entitled "Meth- 
od and System for Multimedia Access Control En- 
ablement", which is incorporated herein as if fully 

50 set forth. 

Next, as is depicted in Figures 16 and 17, the 
derived real key 381 is tested to determine the 
validity and authenticity of the product key 377 
which has been provided by the software vendor. 

55 As is shown, the derived real key 381 is supplied 
as an input to encryption engine 385. A predeter- 
mined encrypted validation data segment 383 is 
supplied as the other input to encryption engine 
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385. Encryption engine supplies as an output de- 
rived clear validation text 387. Then, in accordance 
with Figure 17, the derived clear validation text 387 
is compared to the known clear validation text 391 
In comparator 389. Comparator 389 simply per- 
forms a bit-by-bit comparison of the derived clear 
validation text 387 with the known clear validation 
text 391. If the derived clear validation text 387 
matches the known clear validation text 391 , a key 
file is created in accordance with step 393; how- 
ever, If the derived clear validation text 387 does 
not match the known clear validation text 391. a 
warning is posted to the user-controlled data pro- 
cessing system in accordance with step 395. 

Turning now to Figure 18, key file 397 is de- 
picted as including the temporary product key, the 
customer key (which Is an encrypted version of the 
customer number), the machine identification num- 
ber in clear text and the trial interval data (such as 
a clock and/or counter value) . This key file is 
supplied as an input to encryption engine 399. Key 
401 is also provided as an input to encryption 
engine 399. Key 401 is derived from unique sys- 
tem attributes 403, such as those system attributes 
utilized in deriving the machine identification num- 
ber. Encryption engine 399 provides as an output 
the encrypted key file 405. 

Figures 19, 20, 21, 22, and 23 depict oper- 
ations of the file management program after a 
temporary access key has been received, and vali- 
dated, and recorded in key file 397 (of Figure 18). 

Figure 19 is a block diagram representation of 
the steps which are performed when an encrypted 
software product is called for processing by the 
user-control data processing system. The encryp- 
ted file 405 Is fetched, and a "header" portion 407 
is read by the user-controlled data processing sys- 
tem. The header has a number of components 
including the location of the key file. The location 
of the key file is utilized to fetch the key file in 
accordance with step 409. The header further in- 
cludes an encrypted validation text 411. The en- 
crypted validation text 41 1 Is also read by the user- 
controlled data processing system. As is stated 
above (and depicted In Figure 18) the key file 
includes the product key 419. a customer key 417, 
and the machine Identification 415. These are ap- 
plied as Inputs to decryption engine 413. Decryp- 
tion engine 413 provides as an output real key 421. 
Before real key 421 is utilized to decrypt encrypted 
software products on the distributed memory me- 
dia, It Is tested to determine Its validity. Figure 21 
is a block diagram of the validation testing. Encryp- 
ted validation text 423, which is contained in the 
"header", Is provided as an Input to decryption 
engine 425. Real key 421 (which was derived In 
the operation of Figure 20) is also supplied as an 
input to decryption engine 425. Decryption engine 



425 provides as an output clear validation text 427. 
As is set forth in block diagram form In Figure 22, 
clear validation text 427 is supplied as an input to 
comparator 429. The known clear validation text 
5 431 is also supplied as an input to comparator 429. 
Comparator 429 determines whether the derived 
clear validation text 427 matches the known clear 
validation text 431. If the texts match, the software 
object is decrypted in accordance with step 433; 
10 however, if the validation text portions do not 
match, a warning is post in accordance with step 
435. Figure 23 Is a block diagram depiction of the 
decryption operation of step 433 of Figure 22. The 
encrypted software object 437 is applied as an 

15 input to decryption engine 439. The validated real 
key 441 is also supplied as an Input to decryption 
engine 439. Decryption engine 439 supplies as an 
output the decrypted software object 443. 

The encryption header is provided to allow for 

20 the determination of whether or not a file is encryp- 
ted when that file is stored with clear-text files. In 
providing the encryption header for the encrypted 
file. It is important that the file size not be altered 
because the size may be checked as part of a 

25 validation step (unrelated In any way to the concept 
of the present invention) during installation. There- 
fore, making the file larger than it Is suppose to be 
can create operational difficulties during installation 
of the software. The encryption header is further 

30 necessary since the file names associated with the 
encrypted software products cannot be modified to 
reflect the fact that the file is encrypted, because 
the other software applications that may be acces- 
sing the encrypted product will be accessing those 

35 files utilizing the original file names. Thus, altering 
the file name to indicate that the file is encrypted 
would prevent beneficial and desired communica- 
tion between the encrypted software product and 
other, perhaps related, software products. For ex- 

40 ample, spreadsheet applications can usually port 
portions of the spreadsheet to a related word pro- 
cessing program to allow the Integration of financial 
information into printed documents. Changing the 
hard-coded original file name for the word process- 
es ing program would prevent the beneficial commu- 
nication between these software products. The en- 
cryption header of the present Invention resolves 
these problems by maintaining the encrypted file at 
its nominal file length, and by maintaining the file 

50 name for the software product In an unmodified 
form. 

Figure 24 graphically depicts an encrypted file 
with encryption header 451. The encryption header 
451 Includes a plurality of code segments, includ- 
55 Ing: unique identifier portion 453, the name of the 
key file portion 455, encrypted validation segment 
457, encryption type 459. offset to side file 461. 
and encrypted file data 463. Of course, in this view, 
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the encrypted file data 463 is representative of tine 
encrypted software product, such as a word pro- 
cessing progrann or spreadsheet. The encryption 
header 451 is provided In place of encrypted data 
which ordinarily would connprise part of the encryp- 
ted software product. The encryption header is 
substituted in the place of the first portion of the 
encrypted software product. In order to place the 
encryption header 451 at the front of the encrypted 
software product of encrypted file data 463, a por- 
tion of the encrypted file data must be copied to 
another location. Offset to side file 461 identifies 
that side file location where the displaced file data 
is contained. 

Figure 25 graphically depicts the relationship 
between the directory of encrypted files and the 
side files. As is shown, the directory of encrypted 
files 465 includes file aaa, file bbb, file ccc, file 
ddd, through file nnn. Each of these files is repre- 
sentative of a directory name for a particular en- 
crypted software product. Each encrypted software 
product has associated with it a side file which 
contains the front portion of the file which has been 
displaced to accommodate encryption header 451 
without altering the size of the file, and without 
altering the file name. File aaa has associated with 
it a side file AAA. Software product file bbb has 
associated with it a side file BBB. Encrypted soft- 
ware product ccc has associated with it a side file 
CCC. Encrypted software product ddd has asso- 
ciated with it a side file DDD. Encrypted software 
product nnn has associated with it a side file NNN. 
In Figure 25, directory names 467, 469, 471, 473, 
475 are depicted as being associated with side 
files 477, 479. 481, 483. and 485. The purpose of 
the side files is to allow each of the encrypted 
software products to be tagged with an encryption 
header without changing the file size. 

Encryption type segment 459 of the encryption 
header 451 identifies the type of encryption utilized 
to encrypt the encrypted software product. Any one 
of a number of conventional encryption techniques 
can be utilized to encrypt the product, and different 
encryption types can be utilized to encrypt different 
software products contained on the same memory 
media. Encryption type segment 459 ensures that 
the appropriate encryption/decryption routine is 
called so that the encrypted software product may 
be decrypted, provided the temporary access keys 
are valid and not expired. The name of key file 
segment 455 of encryption header 451 provides an 
address (typically a disk drive location) of the key 
file. As is stated above (in connection with Figure 
18) the key file includes the product key. a cus- 
tomer key, and the clear machine ID. All three of 
these pieces of information are required in order to 
generate the real key (in accordance with Figure 
20). Encrypted validation segment 457 includes the 
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encrypted validation text which is utilized in the 
routine depicted in Figure 21 which generates a 
derived clear validation text which may be com- 
pared utilizing the routine of Figure 22 to the 

5 known clear validation text. Only if the derived 
clear validation text exactly matches the known 
clear validation text can the process continue by 
utilizing the derived and validated real key to de- 
crypt the encrypted software product in accordance 

10 with the routine of Figure 23. However, prior to 
performing the decryption operations of Figure 23, 
the contents of the corresponding side file must be 
substituted back into the encrypted software prod- 
uct in lieu of encryption header 451 . This ensures 

76 that the encrypted software product is complete 
prior to the commencement of decryption oper- 
ations. 

Each time a file is called for processing by the 
operating system of the user-controlled data pro- 

20 cessing system, the file management program 
which is resident in the operating system intercepts 
the input/output requests and examines the front 
portion of the file to determine if a decryption block 
identifier, such as unique identifier 453. exists at a 

25 particular known location. For best performance, as 
is depicted in Figure 24, this location will generally 
be at the beginning of the file. If the file manage- 
ment program determines that the file has the 
decryption block, the TSR will read the block into 

30 memory. The block is then parsed in order to build 
a fully qualified key file name by copying an envi- 
ronment variable that specifies the drive and direc- 
tory containing the key files and concatenating the 
key file name from the encryption block. The TSR 

36 then attempts to open the key file. If the key file 
does not exist, the TSR returns an "access denied" 
response to the application which is attempting to 
open the encrypted file. If the key file is deter- 
mined to exist, the TSR opens the key file and 

40 reads in the keys (the product key. the customer 
key, and the machine identification) and generates 
the real key. This real key is in use to decrypt the 
decryption block validation data. As is stated 
above, a comparison operation determines whether 

45 this decryption operation was successful. If the 
compare fails, the key file is determined to be 
"invalid", and the TSR returns an "access denied 
message" to the application which is attempting to 
open the encrypted software product. However, if 

60 the compare is successful, the file management 
program prepares to decrypt the file according to 
the encryption type found in the encryption header. 
The TSR then returns a valid file handle to the 
calling application to indicate that the file has been 

66 opened. When the application reads data from the 
encrypted file, the TSR reads and decrypts this 
data before passing it back to the application. If the 
data requested is part of the displaced data that is 
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stored in the side file, the TSR will read the side 
file and return the appropriate decrypted block to 
the calling application without the calling applica- 
tion being aware that the data canne fronn a sepa- 
rate file. 

While the broad concepts of the encryption 
header are depicted in Figures 24 and 25. the 
more particular aspects of creating the encrypted 
files are depicted in Figures 26, 27, and 28. Fig- 
ures 27 and 28 depict two types of data files. 
Figure 27 depicts a non-executing data file, while 
Figure 28 depicts an executing data file. Figure 26 
depicts a header 499 which includes signature seg- 
ment 501, header LEN 503, side file index 505. 
side file LEN 507, decryption type identifier 509, 
verification data 511, and key file name 518. As is 
shown in Figure 27, a software product begins as a 
clear file 521. and is encrypted in accordance with 
a particular encryption routine into encrypted file 
523. Encryption type segment 509 of header 499 
identifies the type of encryption utilized to change 
clear file 521 to encrypted file 523. Next, the front 
portion of encrypted file 523 is copied to side file 
527 which is identified by side file index 505 and 
side file LEN 507 of header 499. Additionally, a 
copy of the clear text of the verification data is also 
included in side file 527. Then, header 499 is 
copied to the front portion of encrypted file 523 to 
form modified encrypted files 525. A similar pro- 
cess is employed for executing files, as depicted in 
Figure 28. The clear text copy of the software 
product (represented as clear file 531) is encrypted 
in accordance with a conventional routine, to form 
encrypted file 533. The front portion of encrypted 
file 533 is copied to side file 539 so that the 
overlaid data of encrypted file 533 is preserved. 
Furthermore, side file 539 includes a copy of the 
clear text of the verification data. Then, the encryp- 
ted file 533 is modified by overlaying and execut- 
able stub 537 and header 599 onto the first portion 
of encrypted file 553. 

The purpose of executable stub 537 of Figure 
28 will now be described. The DOS operating sys- 
tem for a personal computer will try to execute an 
encrypted application. This can result in a system 
"hang" or unfavorable action. The executable stub 
357 of the executing file of Figure 28 is utilized to 
protect the user from attempting to execute ap- 
plications that are encrypted: there would be con- 
siderable risk that a user would hang his system or 
format a drive if he or she try to run an encrypted 
file. The executable stub is attached to the front 
portion of the encrypted software product so that 
this stub is executed whenever the application is 
run without the installed TSR or run from a drive 
the TSR is not "watching". This stub will post a 
message to the user that explains why the applica- 
tion cannot run. In addition to providing a message, 



this executable stub can be used to perform so- 
phisticated actions, such as: 

(1) it can duplicate the functionality of the TSR 
and install dynamic encryption before kicking off 

5 the application a second time; 

(2) it can turn on a temporary access key and 
kick off the application a second time; 

(3) it can communicate with the TSR and inform 
it to look at the drive the application is being run 

10 from. 

The executable stub is saved or copied into the 
encrypted program as follows: 

(1) the application is encrypted; 

(2) a decryption block is created for this pro- 
75 gram; 

(3) a pre-built executable stub is attached to the 
front end of the decryption block; 

(4) the length of the combined decryption head- 
er and executable stub is determined; 

20 (5) the bytes at the front of the executable file 
equal to this length are then read into memory, 
preferably into a predefined side file location; 
and 

(6) the encryption header and executable stub 

25 are then written over the leading bytes in the 
executable code. 
The TSR can determine if an executable is 
encrypted by searching beyond the "known size" 
of the executable stub for the decryption block 

30 portion. When the TSR decrypts the executable 
stub it accesses the side file to read in the bytes 
that were displaced by the stub and header block. 

Figure 29 provides a flowchart representation 
of operation during a trial period interval, which 

35 begins at software block 601. In accordance with 
software block 603. the file management program 
located in the operating system of the user-con- 
trolled data processing system continually monitors 
for input/output calls to the memory media. Then, 

40 in accordance with software block 605, for each 
input/output call, the called file is intercepted, and 
in accordance with software block 607 the operat- 
ing system is denied access to the called file, until 
the file management program can determine 

45 whether access should be allowed or not. A portion 
of the called file is read where the decryption block 
should be located. This portion of the called file is 
then read, in accordance with software block 609. 
to derive a key file address in accordance with 

50 software block 611. The address which is derived 
is utilized to fetch the key file, in accordance with 
software block 613. In accordance with decision 
block 615, if the key file cannot be located, the 
process ends at software block 617; however, if it 

55 is determined in decision block 615 that the key 
file can be located, the key is derived in accor- 
dance with software block 619. The derived key is 
then utilized to decrypt the validation segment 

15 
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which is located within the encryption header, in 
accordance with software block 621. In decision 
block 623, the decryption validation segnnent is 
conDpared to the clear text for the decryption vali- 
dation segment; if it is deternnined that the decryp- 
ted segment does not match the known clear text 
segment, the process continues at software block 
625 by ending; however, if it is determined in 
decision block 623 that the decrypted validation 
segment does match the known clear text valida- 
tion segment, the process continues as software 
block 627, wherein access to the called file is 
allowed. Then, the decryption type is read from the 
decryption header in accordance with software 
block 629, and the called file is dynamically de- 
crypted In accordance with software block 631 as it 
is passed for processing by the operating system 
of the user-controlled data processing system, in 
accordance with software block 633. The process 
terminates at software block 635. 

If unauthorized execution of an encrypted file is 
attempted, the executable stub will at least tem- 
porarily deny access and post a message to the 
system, but may handle the problem in a number 
of sophisticated ways which were enumerated 
above. 

In accordance with the preferred embodiment 
of the present invention, during the trial interval, or 
at the conclusion of the trial interval, the prospec- 
tive purchaser may contact the vendor to make 
arrangements for the purchase of a copy of the one 
or more software products on the computer-acces- 
sible memory media. Preferably, CD ROMs or flop- 
py disks have been utilized to ship the product to 
the potential user. Preferably, the computer-acces- 
sible memory media includes the two encrypted 
copies of each of the products which are offered 
for a trial interval of use. One encrypted copy may 
be decrypted utilizing the file management pro- 
gram and the temporary key which is commu- 
nicated from the vendor to the purchaser. The 
other encrypted copy is not provided for use in the 
trial interval mode of operation, but instead is pro- 
vided as the permanent copy which may be de- 
crypted and utilized once the software product has 
been purchased. In broad overview, the user se- 
lects a software product for a trial interval mode of 
operation, and obtains from the vendor temporary 
access keys, which allow the user access to the 
product (through the file management program) for 
a predefined trial interval. Before or after the con- 
clusion of the trial interval, the user may purchase 
a permanent copy of the software product from the 
vendor by contacting the vendor by facsimile, elec- 
tronic mail, or telephone. Once payment is re- 
ceived, the vendor communicates to the user a 
permanent access key which is utilized to decrypt 
the second encrypted copy of the software prod- 
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uct. This encrypted product may be encrypted 
utilizing any conventional encryption routine, such 
as the DES algorithm. The permanent key allows 
the software product to be decrypted for unrestric- 

5 ted use. Since multiple copies of the product may 
be purchased in one transaction, the present inven- 
tion is equipped with a technique for providing 
movable access keys, which will be discussed be- 
low in connection with Figures 30 through 35. In 

10 the preferred embodiment of the present invention, 
the encryption algorithm employed to encrypt and 
decrypt the second copy of the software product is 
similar to that employed in the trial interval mode of 
operation. 

15 The present invention includes an export/import 

function which allows for the distribution of perma- 
nent access keys, after the conclusion of a trial 
interval period. Typically, an office administrator or 
data processing system manager will purchase a 

20 selected number of "copies" of the encrypted 
product after termination of a trial interval period. 
Certain individuals within the organization will then 
be issued permanent keys which allow for the 
unrestricted and permanent access to the encryp- 

25 ted product. In an office or work environment where 
the computing devices are not connected in a 
distributed data processing network, the permanent 
access keys must be communicated from the of- 
fice administrator or data processing manager to 

30 the selected individuals within an organization who 
are going to receive copies of the encrypted soft- 
ware product. The permanent keys allow for per- 
manent access to the product. Since not all em- 
ployees within an organization may be issued 

35 copies of the particular encrypted product, the ven- 
dor would like to have the distribution occur in a 
manner which minimizes or prevents the distribu- 
tion beyond the sales agreement or license agree- 
ment. Since the products are encrypted, they may 

40 be liberally distributed in their encrypted form. It is 
the keys which allow unrestricted access to the 
product which are to be protected in the current 
invention. To prevent the distribution of keys on 
electronic mail or printed communications, the 

45 present invention includes an export program which 
is resident In a source computer and an import 
program which is resident in a target computer 
which allow for the distribution of the access keys 
via a removable memory media, such as a floppy 

50 diskette. This ensures that the access keys are not 
subject to inadvertent or accidental distribution or 
disclosure. There are two principal embodiments 
which accomplish this goal. 

In the first embodiment, one or more encrypted 

55 files which are maintained in the source computer 
are first decrypted, and then encrypted utilizing an 
encryption algorithm and an encryption key which 
is unique to the transportable memory media (such 
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as a diskette serial number). The key file may then 
be physically carried via the diskette to a target 
computer, where it is decrypted utilizing a key 
which is derived by the target computer from inter- 
action with the transferable memory media. Imme- 
diately, the key file or files are then encrypted 
utilizing an encryption operation which is keyed 
with a key which is derived from a unique system 
attribute of the target computer. In the alternative 
embodiment, the transferrable memory media is 
loaded onto the target computer to obtain from the 
target computer import file a transfer key which is 
uniquely associated with the target computer, and 
which may be derived from one or more unique 
system attributes of the target computer. The 
memory media is then transferred to the source 
computer, where the one or more key files are 
decrypted, and then encrypted utilizing the transfer 
key. The memory media is then carried to the 
target computer where the transfer key is gen- 
erated and utilized in a decryption operation to 
decrypt the one or more key files. Preferably, im- 
mediately the key files are encrypted utilizing an 
encryption operation which is keyed with a key 
which is uniquely associated with the target com- 
puter, and which may be derived from one or more 
unique computer configuration attributes. The first 
embodiment is discussed herein in connection with 
Figures 30, 31, 32, and 33. The second embodi- 
ment is discussed in connection with Figures 34 
and 35. 

Figures 30 and 31 depict in block diagram 
form export and import operations which allow an 
authorized user to move his permanent key to 
another data processing system using an "export" 
facility that produces a unique diskette image of 
the access key that has been enabled for import 
Into another system. In accordance with the 
present invention, the access keys which are deliv- 
ered over the telephone by the software vendor to 
the customer are less than 40 bytes in length. The 
key file that is produced is over 2,000 bytes in 
length. An export facility is provided for copying 
the key file and the machine identification file to a 
diskette. Both files are then encrypted with a modi- 
fied diskette serial number to inhibit these files 
from being copied to a public forum where anyone 
could use them. An import facility provided in an- 
other system decrypts these files and adds the 
product key and machine identification from the 
diskette to a list of import product keys and ma- 
chine identifications in the import systems master 
file, and copies the key file to the import system 
hard disk. The key file is encrypted on the import 
system as is disclosed above. 

Figure 30 is a block diagram depiction of an 
export operation in accordance with the preferred 
embodiment of the present invention. As is shown. 
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source computer 651 includes a key file 653 and a 
machine identification file 655. Key file 653 in- 
cludes the product key, the customer key, the clear 
text of the machine identification for source com- 
5 puter 653, trial interval data (such as a clock and/or 
counter which define the trial interval period), and 
an export counter which performs the dual func- 
tions of defining the maximum number of export 
operations allowed for the particular protected soft- 

10 ware products and keeping track of the total num- 
ber of export operations which have been accom- 
plished. The machine identification file includes the 
machine identification number and trial interval data 
(such as a clock and/or counter which defines the 

75 trial interval period). Both key file 653 and machine 
identification file 655 are encrypted with any con- 
ventional encryption operation (such as the DES 
algorithm), which is keyed with a key which is 
derived from a unique system attribute of source 

20 computer 651 . At the commencement of an export 
operation, key file 653 and machine identification 
file 655 are decrypted. Key file 653 is supplied as 
an input to decryption operation 657 which is 
keyed with key 659. Likewise, machine identifica- 

25 tion file 655 is supplied as an input to decryption 
operation 663 which is keyed with key 661. De- 
cryption operations 657, 663 generate a clear text 
version of key file 653 and machine identification 
file 655. Once the clear text is obtained, the export 

30 counter which is contained within key file 653 is 
modified in accordance with block 661. For exam- 
ple, if this is the seventh permitted export operation 
out of ten permissible operations, the counter might 
read "7:10". The clear text version of key file 653 

35 is supplied as an input to encryption operation 669. 
Encryption operation 669 may be any conventional 
encryption operation (such as the DES algorithm), 
which is keyed with a memory media attribute 665 
which is unique to a memory media which is coup- 

40 led to source computer 651, which has been sub- 
jected to modification of modifier 667. For example, 
a unique diskette serial number may be supplied 
as the "memory media attribute" which is unique 
to memory media 677. The diskette serial number 

45 is modified in accordance with modifier 667 to alter 
it slightly, and supply it as an input to encryption 
operations 669. The same operation is performed 
for the clear text of machine identification file 655. 
A unique memory media attribute 671 is modified 

50 by modifier 673 and utilized as a key for encryption 
operation 675, which may comprise any conven- 
tional encryption operation, such as the DES opera- 
tion. Finally, the output of encryption operations 
669 and 675 are supplied as inputs to copy oper- 

55 ations 679, 681 which copy the encrypted key file 
653 and machine identification file 655 to memory 
media 677. 
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Figure 31 is a block diagram depiction of an 
innport operation. Mennory nnedia 677 (of Figure 30) 
is pliysically removed from source computer 651 
(of Figure 30) and physically carried over to com- 
puter 707 (of Figure 31); alternatively, in a distrib- 
uted data processing system, this transfer may 
occur without the physical removal of memory me- 
dia 677. With reference now to Figure 31, in accor- 
dance with block 683, the machine identification of 
the target machine is copied to memory media 677 
to maintain a record of which particular target com- 
puter received the key file and machine identifica- 
tion file. Then, in accordance with blocks 685, 693 
the encrypted key file 653 and machine identifica- 
tion file 655 are copied from the memory media to 
target computer 707. The encrypted key file 653 is 
supplied as an input to decryption operation 689 
which is keyed with key 687. Decryption operation 
689 reverses the encryption operation of block 669. 
and provides as an output a clear text version of 
key file 653. Likewise, machine identification file 
655 is supplied as an input to decryption operation 
697, which is keyed with key 695. Decryption op- 
eration 697 reverses the encryption of encryption 
operation 675 and provides as an output the clear 
text of machine identification file 655. In accor- 
dance with block 691, the machine identification of 
the source computer 651 is retrieved and recorded 
in memory in the clear text of key file 653. Next, 
the clear text of key file 653 is supplied as an input 
to encryption operation 699. Encryption operation 
699 is a conventional encryption operation, such as 
the DES operation, which is keyed with a target 
computer unique attribute, such as the machine 
identification or modified machine identification for 
the target computer 707. The clear text of machine 
identification file 655 is supplied as an input to 
encryption operation 703. Encryption operation 703 
Is any conventional encryption operation, such as 
the DES encryption operation, which is keyed with 
a unique target computer attribute 705, such as 
machine identification or modified machine iden- 
tification of target computer 707. The output of 
encryption operation 699 produces an encrypted 
key file 709 which includes a product key (which is 
the same temporary product key of key file 653 of 
source computer 651), a customer number (which 
is the same customer number of key file 653 of 
source computer 651), and clear machine iden- 
tification (which is the machine identification for 
target computer 707, and not that of source com- 
puter 651). trial interval data (which is identical to 
the trail interval data of key file 653 of source 651), 
and an identification of the machine identification of 
the source computer 651 . The output of encryption 
operation 703 defines machine identification file 
711, which includes the machine identification of 
the target computer 707 (and not that of the source 
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computer 651). and the trial interval data (which is 
identical to that of machine identification file 655 of 
source computer 651). 

Figures 32 and 33 provide alternative views of 
5 the import and export operations which are de- 
picted in Figures 30 and 31, and emphasize sev- 
eral of the important features of the present inven- 
tion. As is shown, source computer 801 includes 
machine identification file 803 which is encrypted 

70 with a system attribute key which is unique to the 
source computer 801. The machine identification 
file includes machine identification file number as 
well as count of the number of exports allowed for 
each protected software product, and a count of 

75 the total number of exports which have been uti- 
lized. For example, the first export operation carries 
a count of "1:10", which signifies that one export 
operation of ten permitted export operations has 
occurred. In the next export operation, the counter 

20 is incremented to "2:20" which signifies that two of 
the total number of ten permitted export operations 
has occurred. Each target computer which receives 
the results of the export operation is tagged with 
this particular counter value, to identify that it is the 

26 recipient of a particular export operation. For exam- 
ple, one source computer system may carry a 
counter value of "1:10", which signifies that it is the 
recipient of the first export operation of ten permit- 
ted export operations. Yet another target computer 

30 may carry the counter value of "7:10", which sig- 
nifies that this particular target computer received 
the seventh export operation of a total of ten per- 
mitted export operations. In this fashion, the target 
computer maintains a count of a total number of 

35 used export operations, while the source comput- 
ers each carry a different counter value which 
identifies it a the recipient of the machine iden- 
tification file and key file from the source computer 
from particular ones of the plurality of permitted 

40 export operations. 

Note that in source computer 801 machine 
identification file 803 and key file 805 are encryp- 
ted with an encryption algorithm which utilizes as a 
key a system attribute which is unique to source 

45 computer 801; however, once machine identifica- 
tion file 803 and key file 805 are transferred to a 
memory media, such as export key diskette 807, 
machine identification file 809 and key file 811 are 
encrypted in any conventional encryption operation 

50 which utilizes as an encryption key a unique dis- 
kette attribute, such as the diskette's serial number. 
This minimizes the possibility that the content of 
the machine ID file 809 and/or key file 811 can be 
copied to another diskette or other memory media 

55 and then utilized to obtain unauthorized access to 
the software products. This is so because for an 
effective transfer of the content of machine ID file 
809 and key file 81 1 to a target computer to occur. 
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the target computer must be able to read and 
utilize the unique diskette attribute from the export 
key diskette 807. Only when the machine ID file 
809 and key file 811 are presented to a target 
computer on the diskette onto which these items 
were copied can an effective transfer occur. The 
presentation of the machine ID file 809 and key file 
811 on a diskette other than export key diskette 
807 to a potential target computer will result in the 
transfer of meaningless information, since the 
unique attribute of export key diskette 807 (such as 
the diskette serial number) is required by the target 
computer in order to successfully accomplish the 
decryption operation. 

As is shown in Figure 33, export key diskette 
807is presented to target computer 813. Of course, 
the machine identification file 809 and key file 811 
are in encrypted form. In the transfer from export 
key diskette 807 to target computer 813, the con- 
tent of machine ID file 809 is updated with the 
machine identification of the target computer 813, 
and the count of imports utilized. In accomplishing 
the transfer to target computer 813, a machine 
identification file 815 is constructed which includes 
a number of items such as machine identification 
for the target computer 813. customer information, 
as well as a list of the machine identification num- 
ber of the source computer 801. Both machine 
identification file 815 and the key file 817 are 
encrypted utilizing a conventional encryption opera- 
tion which uses as a key a unique attribute of 
target computer 813. This ties machine identifica- 
tion file 815 and key file 817 to the particular target 
computer 813. 

By using an export/import counter to keep 
track of the total number of authorized ex- 
port/import operations, and the total number of 
used export/import operations, the present inven- 
tion creates an audit trail which can be utilized to 
keep track of the distribution of software products 
during the trial interval. Each source computer will 
carry a record of the total number of export oper- 
ations which have been performed. Each source 
computer will carry a record of which particular 
export/import operation was utilized to transfer one 
or more protected software products to the target 
computer. The memory media utilized to accom- 
plish the transfer (such as a diskette, or group of 
diskettes) will carry a permanent record of the 
machine identification numbers of both the source 
computer and the target computer's utilized in all 
export/import operations. 

The procedure for implementing export and 
import operations ensures that the protected soft- 
ware products are never exposed to unnecessary 
risks. When the machine identification file and key 
file are passed from the source computer to the 
export diskette, they are encrypted with the unique 



attribute of the export diskette which prevents or 
inhibits copying of the export diskette or posting of 
its contents to a bulletin board as a means for 
illegally distributing the keys. During the import 
5 operations, the machine identification and key files 
are encrypted with system attributes which are 
unique to the target computer to ensure that the 
software products are maintained in a manner 
which is consistent with the security of the source 

10 computer, except that those software products are 
encrypted with attributes which are unique to the 
target computer, thus preventing illegal copying 
and posting of the keys. 

The second embodiment of the export/import 

75 function is depicted in block diagram form in Fig- 
ures 34 and 35. In broad overview, memory media 
1677 is first utilized to interact with target computer 
1707 to obtain from target computer 1707 a trans- 
fer key which is unique to target computer 1707, 

20 and which is preferably derived from one or more 
unique system attributes of target computer 1707. 
The transfer key may be a modification of the 
machine identification for target computer 1707. 
Next, the memory media 1677 is utilized to interact 

25 with source computer 1651 in an export mode of 
operation, wherein key file 1653 and machine iden- 
tification file 1655 are first decrypted, and then 
encrypted utilizing the transfer key. 

Figure 34 is a block diagram depiction of an 

30 export operation in accordance with the preferred 
embodiment of the present invention. As is shown, 
source computer 1651 includes a key file 1653 and 
a machine identification file 1655. Key file 1653 
includes the product key, the customer key, the 

35 clear text of the machine identification for source 
computer 1653, trial interval data (such as a clock 
and/or counter which define the trial interval pe- 
riod), and an export counter which performs the 
dual functions of defining the maximum number of 

40 export operations allowed for the particular pro- 
tected software products and keeping track of the 
total number of export operations which have been 
accomplished. The machine identification file in- 
cludes the machine identification number and trial 

45 interval data (such as a clock and/or counter which 
defines the trial interval period). Both key file 1653 
and machine identification file 1655 are encrypted 
with any conventional encryption operation (such 
as the DES algorithm), which is keyed with a key 

50 which is derived from a unique system attribute of 
source computer 1651. At the commencement of 
an export operation, key file 1653 and machine 
identification file 1655 are decrypted. Key file 1653 
is supplied as an input to decryption operation 

65 1657 which is keyed with key 1659. Likewise, ma- 
chine identification file 1655 is supplied as an input 
to decryption operation 1663 which is keyed with 
key 1661. Decryption operations 1657, 1663 gen- 
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erate a clear text version of key file 1653 and 
machine identification file 1655. Once the clear text 
is obtained, the export counter which is contained 
within key file 1653 is modified in accordance with 
block 1661. For example, If this is the seventh 
permitted export operation out of ten permissible 
operations, the counter might read "7:10". The 
clear text version of key file 1653 is supplied as an 
input to encryption operation 1669. Encryption op- 
eration 1669 may be any conventional encryption 
operation (such as the DES algorithm), which is 
keyed with the transfer key 1665 which was pre- 
viously obtained. The same operation is performed 
for the clear text of machine identification file 1655. 
Transfer key 1671 is utilized as a key for encryp- 
tion operation 1675, which may comprise any con- 
ventional encryption operation, such as the DES 
operation. Finally, the output of encryption oper- 
ations 1669 and 1675 are supplied as inputs to 
copy operations 1679, 1681 which copy the en- 
crypted key file 1653 and machine identification file 
1655 to memory media 1677. 

Figure 35 is a block diagram depiction of an 
import operation. Memory media 1677 (of Figure 
34) is physically removed from source computer 
1651 (of Figure 34) and physically carried over to 
computer 1707 (of Figure 35); alternatively, in a 
distributed data processing system, this transfer 
may occur without the physical removal of memory 
media 1677. With reference now to Figure 35, in 
accordance with block 1683, the machine iden- 
tification of the target machine is copied to memory 
media 1677 to maintain a record of which particular 
target computer received the key file and machine 
identification file. Then, in accordance with blocks 
1685, 1693 the encrypted key file 1653 and ma- 
chine identification file 1655 are copied from the 
memory media to target computer 1707. The en- 
crypted key file 1653 is supplied as an input to 
decryption operation 1689 which is keyed with key 
1687. Decryption operation 1689 reverses the en- 
cryption operation of block 1669, and provides as 
an output a clear text version of key file 1653. 
Likewise, machine identification file 1655 is sup- 
plied as an input to decryption operation 1697, 
which is keyed with key 1695. Decryption operation 
1697 reverses the encryption of encryption opera- 
tion 1675 and provides as an output the clear text 
of machine identification file 1655. In accordance 
with block 1691, the machine identification of the 
source computer 1651 is retrieved and recorded in 
memory in the clear text of key file 1653. Next, the 
clear text of key file 1653 is supplied as an input to 
encryption operation 1699. Encryption operation 
1699 Is a conventional encryption operation, such 
as the DES operation, which is keyed with a target 
computer unique attribute, such as the machine 
identification or modified machine identification for 



the target computer 1707. The clear text of ma- 
chine identification file 1655 is supplied as an input 
to encryption operation 1703. Encryption operation 
1703 is any conventional encryption operation, 

5 such as the DES encryption operation, which is 
keyed with a unique target computer attribute 1705, 
such as machine identification or modified machine 
identification of target computer 1707. The output 
of encryption operation 1699 produces an encryp- 

10 ted key file 1709 which includes a product key 
(which is the same temporary product key of key 
file 1653 of source computer 1651), a customer 
number (which is the same customer number of 
key file 1653 of source computer 1651), and clear 

15 machine identification (which is the machine iden- 
tification for target computer 1707, and not that of 
source computer 1651), trial interval data (which is 
identical to the trail interval data of key file 1653 of 
source 1651), and an identification of the machine 

20 identification of the source computer 1651. The 
output of encryption operation 1703 defines ma- 
chine identification file 1711, which includes the 
machine identification of the target computer 1707 
(and not that of the source computer 1651), and 

25 the trial interval data (which is identical to that of 
machine identification file 1655 of source computer 
1651). 

While the invention has been particularly 
shown and described with reference to a preferred 
30 embodiment, it will be understood by those skilled 
in the art that various changes in form and detail 
may be made therein without departing from the 
spirit and scope of the invention. 

35 Claims 

1. A method in a data processing system of se- 
curing access to particular files which are 
stored in a computer-accessible memory me- 
40 dia, comprising the method steps of: 

providing a file management program as an 
operating system component of said data pro- 
cessing system; 

storing a plurality of files including at least one 
45 encrypted file and at least one unencrypted file 

in said computer-accessible memory media; 
for each of said at least one encrypted file; 
(a) recording in memory a preselected por- 
tion of said file; 
50 (b) generating a decryption block which in- 

cludes information which can be utilized to 
decrypt said file; 

(c) incorporating said decryption block in 
said file in lieu of said preselected portion; 
55 utilizing said file management program to (a) 

monitor data processing system calls for a 
called file stored In said computer-accessible 
memory media, and (b) determine whether 



20 



BNSDOCID: <EP 0681233A1_I_> 



37 



EP 0 681 233 A1 



38 



said called file has an associated decryption 
block, and (c) process said called file in a 
particular manner dependent upon whether or 
not said called file has an associated decryp- 
tion block. 

2. A nnethod according to Clainn 1 : 

wherein each of said at least one encrypted 
file is defined by a particular file size; 
wherein incorporation of said decryption block 
does not change said particular file size for 
each of said at least one encrypted file. 

3. A nnethod according to Clainn 1 or 2: 
wherein each of said plurality of files is defined 
by a particular file name; 

wherein said data processing system utilizes 
said particular file name to call for each of said 
plurality of files without regard to whether or 
not it is encrypted. 

4. A method according to one of Claims 1 to 3, 
further comprising: 

maintaining said at least one encrypted file in 
an encrypted condition for an interval which 
defines a customer trial period; and thereafter 
replacing said preselected portion in said at 
least one encrypted file in lieu of said decryp- 
tion block; and 

decrypting said at least one encrypted file. 

5. A method according to one of Claims 1 to 4, 
wherein said step of generating a decryption 
block comprises: 

combining (a) a unique identifier for each of 
said at least one encrypted file, with at least 
(b1) an address to said preselected portion 
for each of said at least one encrypted file; 
or 

(b2) a name for a key file which contains 
decryption keys for each of said at least 
one encrypted file; or 

(b3) a validation segment composed of an 
encrypted segment of each of said at least 
one encrypted file; or 

(b4) an identifier of which particular one of a 
plurality of available encryption operations 
has been utilized to encrypt said at least 
one encrypted file. 

6. A method according to one of Claims 1 to 5, 
wherein said step of utilizing said file manage- 
ment program to process said called file in- 
cludes at least one of: 

(a) intercepting said called file; 

(b) utilizing said decryption block to derive a 
name for a key file and reading a key for 
said called file; 



(c) decrypting a validation segment of said 
decryption block, and comparing to a se- 
lected segment of said called file, and con- 
tinuing operations only if said decrypted 

5 validation segment matches said selected 

segment; and 

(d) dynamically decrypting said called file 
as it is passed for further processing. 

10 7. An apparatus in a data processing system of 
securing access to particular files which are 
stored in a computer-accessible memory me- 
dia, comprising: 

a file management program which is a compe- 
ls nent of an operating system of said data pro- 
cessing system which operates to (a) monitor 
data processing system calls for a called file 
stored in said computer-accessible memory 
media, and (b) determine whether said called 
20 file has an associated decryption block, and (c) 
process said called file in a particular manner 
dependent upon whether or not said called file 
has an associated decryption block; 
a plurality of files including at least one en- 
25 crypted file and at least one unencrypted file, 
stored in said computer-accessible memory 
media with each encrypted file including: 
(a) a preselected portion of said file re- 
corded in memory in a side file; and 
30 (b) a decryption block which includes in- 
formation which can be utilized to decrypt 
said file which is positioned in said encryp- 
ted file in lieu of said preselected portion. 

35 8. An apparatus according to Claim 7: 

wherein each of said at least one encrypted 
file is defined by a particular file size; 
wherein incorporation of said decryption block 
does not change said particular file size for 

40 each of said at least one encrypted file. 

9. An apparatus according to Claim 7 or 8: 

wherein each of said plurality of files is defined 
by a particular file name; 
45 wherein said data processing system utilizes 

said particular file name to call for each of said 
plurality of files without regard to whether or 
not it is encrypted. 

50 10. An apparatus according to one of Claims 7 to 
9, further comprising: 

means for maintaining said at least one en- 
crypted file in an encrypted condition for an 
interval which defines a customer trial period; 
55 and 

means for replacing said preselected portion in 
said at least one encrypted file in lieu of said 
decryption block; and 
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means for decrypting said at least one encryp- 
ted file. 

11. An apparatus according to one of Claims 7 to 

10, wherein said decryption block includes: 5 
(a) a unique identifier for each of said at 
least one encrypted file, and 

(b1) an address to said preselected portion 
for each of said at least one encrypted file; 
or 10 
(b2) an address for a key file which contains 
decryption keys for each of said at least 
one encrypted file; or 

(b3) a validation segment composed of an 
encrypted segment of each of said at least 75 
one encrypted file; or 

(b4) an identifier of which particular one of a 
plurality of available encryption operations 
has been utilized to encrypt said at least 
one encrypted file. 20 

12. An apparatus according to one of Claims 7 to 

11, wherein saidfile management program is 
utilized to process said called file by perform- 
ing at least one of: 25 

(a) intercepting said called file; 

(b) utilizing said decryption block to derive 
an address for a key file and reading a key 
for said called file; 

(c) decrypting a validation segment of said 30 
decryption block, and comparing it to a se- 
lected segment of said called file, and con- 
tinuing operations only if said decrypted 
validation segment matches said selected 
segment; and 35 

(d) dynamically decrypt said called file as it 
is passed for further processing. 
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